I would say that an FTP/TLS server implementation (i.e. code) which does not allow the user/administrator to change CipherSuites is broken.

The choice of CipherSuites should be a security decision, based around a risk analysis from the Business. How a developer can assume that that analysis can have only one outcome is beyond understanding.

I would be against defining a 'minimum CipherSuite' or some-such in AS3 (I have not defined one in the FTP/TLS document); as yesterday's 'minimum' is tomorrow's 'trivially broken' and providing a proscriptive method to force insecurity seems wrong to me.

If two peers wish to share business data, the security controls around that data should be mutually decided and not left to a technical specification. The basic way that this mutual decision is embodied is in the TLS Handshake's CipherSuite negotiation; I see no compelling reason to augment or restrict that in a higher level protocol document.

If anything, AS3 should mandate that the allowed CipherSuite values MUST be configurable on both Client and Server. IIRC, AS2 is silent on this - https (if used) has the same problem.

Paul
--
Paul Ford-Hutchinson, CISSP : eCommerce application security
e: paulfordh@xxxxxxxxxx
e: paul.ford-hutchinson@xxxxxxxxxxxxxxxxxxx
p: MPT-6, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5JL
t: +44 (0)1926 462005
w: http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

"Kyle Meadors" <kyle@xxxxxxxxxxxxxxxxx>
Sent by: owner-ietf-ediint@xxxxxxxxxxxx
21/06/2005 19:58
To: <ietf-ediint@xxxxxxx>
Subject: question on cipher suites

An issue was recently brought up in regards to using TLS in AS3. Within the TLS handshaking, the connecting AS3 application only uses one cipher, 3DES, in the handshaking. In this case, the FTP server receiving the connection does not support 3DES but does support others. Since the AS3 app does not support anything but 3DES, it cannot work through the handshaking to find a cipher both agree on.

Would it be necessary to state something within the AS3 draft about supporting a specific set of ciphers? Or, is this outside the scope of AS3 since it may lie only with the FTP server and be beyond the control of the AS3 application?

Kyle Meadors
Principal, Test Process
Drummond Group Inc.
615.384.5006
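
The negotiation discussed in this thread, as an added example that is not part of either message or of any AS3 or FTP/TLS implementation: a model of the ClientHello `cipher_suites` vector and the server's selection, driven by administrator-configured lists. The suite code points are the IANA values; the three configuration strings and the rule that the server honours the client's preference order are assumptions made for illustration.

```python
import struct

# IANA TLS cipher suite code points; the configurations below are constructed.
SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
}
NAMES = {code: name for name, code in SUITES.items()}
HANDSHAKE_FAILURE = 40  # TLS alert description sent when no suite is shared

# Constructed sample configurations (hypothetical peers).
HARDCODED_CLIENT = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
CONFIGURED_CLIENT = "TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA"
SERVER = "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA"

def parse_config(value):
    """Turn an administrator's comma-separated suite list into code points."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    unknown = [n for n in names if n not in SUITES]
    if unknown or not names:
        raise ValueError(f"bad CipherSuite configuration: {unknown or 'empty'}")
    return [SUITES[n] for n in names]

def encode_offer(codes):
    """Encode the ClientHello cipher_suites vector: 2-byte length, 2-byte IDs."""
    return struct.pack(f"!H{len(codes)}H", 2 * len(codes), *codes)

def decode_offer(blob):
    """Decode the vector, rejecting a length that does not match the payload."""
    (length,) = struct.unpack_from("!H", blob)
    if length % 2 or length != len(blob) - 2:
        raise ValueError("malformed cipher_suites vector")
    return list(struct.unpack_from(f"!{length // 2}H", blob, 2))

def server_select(offer_blob, server_allowed):
    """Pick the first client-offered suite the server allows, else alert 40.
    Assumption: the server follows the client's preference order."""
    for code in decode_offer(offer_blob):
        if code in server_allowed:
            return ("selected", NAMES.get(code, hex(code)))
    return ("alert", HANDSHAKE_FAILURE)

def negotiate(client_cfg, server_cfg):
    """Run one negotiation between two configured peers."""
    return server_select(encode_offer(parse_config(client_cfg)),
                         set(parse_config(server_cfg)))
```

With the 3DES-only client the server has nothing to select and answers with `handshake_failure`; once the client's list is configurable, the same server agrees on a shared suite without any change to the protocol documents.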